Why You Should be Thinking About Preventing Social Engineering
January 19, 2023
Social engineering is a tactic used by cyber criminals to manipulate individuals into divulging sensitive information or performing actions that can lead to a security breach. It continues to be a major threat to companies because it exploits human psychology and can bypass even the most advanced technical defenses. Last year, many high-profile data breaches, such as the ones at Twilio and Dropbox, resulted from social engineering attacks.
One of the most common forms of social engineering is phishing, where attackers send fraudulent emails or messages that appear to be from a legitimate source, such as a bank or a government agency. These messages often contain a link or attachment that, when clicked, installs malware on the victim's device or takes them to a fake login page where they are prompted to enter their personal information.
Another form of social engineering is "pretexting," where the attacker creates a false identity and uses it to gain the trust of the victim. This can be done over the phone, through email, or in person. The attacker will often pose as a customer service representative, a technical support agent, or even a government official in order to obtain sensitive information such as Social Security numbers, credit card numbers, or login credentials. This is a more advanced form of social engineering and less common than phishing.
Social engineering attacks can also take place in the physical world, such as "tailgating," where an attacker follows an employee into a secure area by pretending to be a colleague or a delivery person. In "shoulder surfing," the attacker observes an individual entering a password or PIN and then uses that information to gain unauthorized access.
One of the reasons why social engineering is such a significant threat to companies is that it is highly effective.
A study by the Anti-Phishing Working Group found that one in every 2,500 phishing emails results in a successful financial fraud.
Additionally, the damage caused by a successful social engineering attack can be significant. A data breach can lead to the loss of sensitive information, financial losses, and damage to a company's reputation.
Another reason why social engineering is a major threat to companies is that it is often difficult to detect and prevent. Traditional security measures, such as firewalls and antivirus software, are not designed to protect against social engineering attacks. As much as security leaders would like to automate away the risk of social engineering, we can’t because it plays on human nature. Employees may also be unaware of the tactics used by attackers and may inadvertently give away sensitive information.
To protect against social engineering, companies must adopt a multi-layered approach that includes technical and non-technical measures. Technical measures include using anti-phishing software and implementing two-factor authentication. Non-technical measures include educating employees about social engineering tactics and encouraging them to be skeptical of unsolicited emails and phone calls. Most often, education takes the form of security awareness training and phishing simulations, which we feel are not enough to prevent social engineering attacks.
As with the rest of cybersecurity, another important aspect of protecting against social engineering is having a clear and tested incident response plan in place. In the context of a phishing attack, this plan needs to spell out the steps an employee takes if they suspect phishing. This can include designating a point of contact for reporting suspicious activity, identifying key stakeholders, and establishing procedures for investigating and responding to potential phishing attacks.
Social engineering is a major threat to companies because it exploits human psychology and can bypass even the most advanced technical defenses. It is highly effective, difficult to detect and prevent, and can cause significant damage to a company's reputation and financial well-being. To protect against social engineering, companies must adopt a multi-layered approach that includes technical and non-technical measures and have an incident response plan in place.
Haekka One was built to reduce the risk of social engineering attacks. We embed security thinking where people work: SaaS apps and Slack. Haekka One continuously delivers up-to-date, relevant content based on content subscriptions, phishing sims, and user actions in apps. This continuous, integrated approach helps minimize the risk of social engineering.
Schedule a demo
Get started with a free trial by scheduling a demo today. One of our training experts will walk you through a live Haekka demo.